I. Introduction

A  cyber  physical  system  (CPS)  [1]  is  a  collection  of  physical  devices  networked  by  a  cyber 
infrastructure  with  integrated  sensing,  communications,  and  control.  A  defining  feature  of  CPS 
is  coordinated  operations  based  on  data  collected  from  sensors  deployed  throughout  the  system. 
Major  examples  of  CPS  include  power  grids,  intelligent  transportation  systems,  and  networked 
robotics. 

An  essential  signal  processing  component  of  many  CPSs  is  real-time  state  estimation  based  on 
sensor  measurements  [2].  The  state  estimate  provides  a  CPS  with  the  real-time  monitoring  and 
control  capability.  For  instance,  the  state  estimate  of  a  power  grid  facilitates  real-time  economic 
dispatch,  contingency  analysis,  and  computation  of  real-time  electricity  price  [2]. 

The dependency of CPS on data communications makes it vulnerable to cyber attacks in which an adversary may break into the network, collect unauthorized information, and intercept and alter sensor data. Because measurements are collected over a wide geographical area by distributed data acquisition systems, sometimes through wireless links, the communications networks that support modern CPSs have numerous points of vulnerability [3], [4]. For critical infrastructures such as a power grid, a well-planned coordinated attack may lead to a cascading failure and a regional blackout [5].

To  assess  vulnerability  of  CPS  to  possible  cyber  attacks,  it  is  important  to  study  potential 
attack  mechanisms.  In  this  paper,  we  consider  an  adversary  who  can  modify  certain  sensor  data 
such  that  the  corrupted  data  will  mislead  the  CPS  control  with  a  wrong  state  estimate.  We  refer 
to  such  a  data  attack  on  state  estimation  as  a  state  attack.  A  major  challenge  of  state  attack  is 
to  avoid  being  detected  and  identified  by  the  fusion  center. 

In  the  literature,  successful  state  attacks  on  a  CPS,  in  particular  a  power  grid,  have  been 
reported.  Liu,  Ning,  and  Reiter  [6]  presented  the  first  state  attack  strategy,  where  an  adversary 
replaces  part  of  “normal”  sensor  data  with  “malicious  data.”  They  showed  that  if  an  adversary 
can  control  a  sufficiently  large  number  of  sensor  data,  it  can  perturb  the  state  estimate  by  an 
arbitrary  degree  while  avoiding  detection  at  the  control  center.  Subsequent  works  along  this  line 
uncovered numerous attack and protection mechanisms [7]–[14].

Most  proposed  attack  schemes  require  considerably  detailed  system  information.  In  particular, 
the  network  topology  and  physical  system  parameters  are  often  required  to  construct  attacks. 
Although such information may be obtained by penetrating the control center, security measures can make it difficult in practice to access such information.

A.  Summary  of  contributions 

We consider the problem of data-driven attacks on state estimation, assuming that the adversary is capable of monitoring a subset of system measurements without detailed knowledge of the network topology and system parameters. The key idea in the proposed approach is to exploit the subspace structure of the measurements, in the same spirit as subspace techniques in array processing [15], beamforming [16], and system identification [17].

The  main  contribution  of  this  paper  is  the  development  of  subspace  techniques  for  state  attack. 
To  this  end,  we  present  two  techniques  with  different  characteristics.  First,  we  show  a  construction 
of  an  unobservable  attack  based  on  the  estimated  subspace  structure  of  measurements.  We 
show  further  that,  in  constructing  the  attack,  under  certain  conditions,  monitoring  only  partial 
measurements  may  be  sufficient.  In  particular,  we  present  a  graph  theoretic  condition  for  the 
existence  of  an  unobservable  attack  under  the  partial  measurement  model. 

The second subspace-based attack exploits the bad data detection and removal mechanisms. In particular, the attack purposely triggers the bad data detection, but it is designed to mislead the fusion center into removing data that are not tampered with by the adversary while keeping some of the falsified data. After such data removal, although the remaining data appear to be consistent with the system model, the resulting state estimate may have an arbitrarily large error. We refer to this type of attack as a data framing attack in the sense that valid data are "framed" by the adversary and removed incorrectly by the fusion center.

To  demonstrate  the  effectiveness  of  these  attacks,  we  consider  the  problem  of  state  estimation 
in  a  power  system  as  a  practical  example  of  CPS.  To  this  end,  we  consider  the  IEEE  14-bus 
network  and  the  IEEE  118-bus  network  [18]. 

An additional complexity of the power system is that the system observation is a nonlinear function of the system state. This raises the issue of whether attacks constructed from a linear model are effective in a nonlinear system. While we do not have theoretical guarantees, simulation results show that the subspace-based data attacks perform well in the presence of nonlinearity in the system equations.
B. Related work and organization

This  paper  extends  some  of  the  key  results  on  state  attacks  that  assume  that  the  system 
parameters  and  the  network  topology  are  known  to  the  attacker.  We  describe  below  some  of  the 
relevant  techniques. 

There  is  a  substantial  literature  on  state  attacks  when  the  system  parameter  and  the  network 
topology  are  known.  Liu,  Ning,  and  Reiter  [6]  first  introduced  an  unobservable  attack  on  power 
system  state  estimation,  which  can  perturb  the  state  estimate  without  being  detected  by  the  bad 
data  detector  at  the  fusion  center.  Following  their  seminal  work,  the  link  between  feasibility 
of  an  unobservable  attack  and  power  system  observability  was  made  in  [7],  [8].  Consequently, 
classical  power  system  observability  conditions  [19]  can  be  modified  to  check  feasibility  of 
unobservable  attacks  and  used  to  develop  countermeasures  based  on  sensor  data  authentication 
[7]–[10], [12], [20], [21]. To assess the grid vulnerability against data attacks, the minimum
number  of  adversary-controlled  sensors  necessary  for  an  unobservable  attack  was  suggested  as 
the  security  index  of  the  grid  [8],  [22].  The  data  framing  attack,  when  the  system  parameters 
are  known,  was  first  proposed  in  [23]  to  circumvent  the  fundamental  limit  posed  by  the  security 
index. 

There  is  limited  work  on  state  attacks  without  system  information  or  with  partial  system 
information.  The  use  of  independent  component  analysis  in  [13]  is  the  most  relevant.  The  authors 
of  [13]  proposed  to  identify  a  mixing  matrix  from  which  to  construct  an  unobservable  attack. 
However, such techniques require that the loads be statistically independent and non-Gaussian, and they need full sensor observations. Generating unobservable attacks using partial parameter information was considered in [14]. The authors of [14] showed that an adversary knowing the impedances of the transmission lines in a cutset of the network topology can construct an unobservable attack. However, how an adversary can learn such local parameters is nontrivial. In contrast to the aforementioned approaches, our method requires no system parameter information, and it can be launched with only partial sensor observations.

Attacks were also studied in the framework of a general dynamic CPS, under the assumption of an omniscient adversary. For instance, an attack on a linear control system equipped with a linear-quadratic-Gaussian controller was studied in [24]. Detectability and identifiability of attacks on general CPS operations were characterized in [25]. The model considered in these papers is more general than the static model studied here. However, their assumption of an adversary with complete system information is stronger than that in the present work.

The  rest  of  this  paper  is  organized  as  follows.  Section  II  introduces  the  measurement  model,  the 
mathematical  model  of  state  estimation  and  bad  data  processing,  and  the  attack  model.  Section  III 
presents  the  subspace  methods  of  unobservable  attack,  and  Section  IV  presents  the  subspace 
methods  of  data  framing  attack.  In  Section  V,  the  results  from  simulations  with  benchmark 
power  grids  are  presented.  Finally,  Section  VI  provides  concluding  remarks. 

II.  Mathematical  models 

A.  Notations 

An upper case boldface letter (e.g., $\mathbf{H}$) denotes a matrix, a lower case boldface letter (e.g., $\mathbf{x}$) denotes a vector, and a script letter (e.g., $\mathcal{A}$, $\mathcal{S}$) denotes a set. The entry of $\mathbf{H}$ at the $i$th row and the $j$th column is denoted by $H_{ij}$, and the $i$th entry of $\mathbf{x}$ is denoted by $x_i$. In addition, $\mathcal{R}(\mathbf{H})$ and $\mathcal{N}(\mathbf{H})$ denote the column space and the null space of $\mathbf{H}$, respectively, and $\mathbf{I}$ denotes an identity matrix of appropriate size.

B.  Measurement  model 

The system state of a CPS is defined as a vector of variables that characterize the current operating condition of the CPS. We assume centralized state estimation at the fusion center. For real-time estimation of the system state $\mathbf{x} \in \mathbb{R}^n$, the fusion center collects measurements from sensors deployed throughout the system. Generally, the sensor measurements are related to the system state $\mathbf{x}$ in a nonlinear fashion, and the relation can be described by the nonlinear measurement model (e.g., the AC model for a power grid [26]):

$$\mathbf{z} = h(\mathbf{x}) + \mathbf{e}, \qquad (1)$$

where $\mathbf{z} \in \mathbb{R}^m$ is the measurement vector, $h(\cdot)$ is the measurement function, and $\mathbf{e}$ is the Gaussian measurement noise.

If some sensors malfunction or an adversary injects malicious data, the fusion center observes biased measurements,

$$\mathbf{z} = h(\mathbf{x}) + \mathbf{e} + \mathbf{a}, \qquad (2)$$

where $\mathbf{a}$ represents a deterministic bias. In such a case, the data are said to be bad, and the biased sensor entries are referred to as bad data entries. The bad data vector is typically sparse, and its support is unknown to the fusion center. If $\mathbf{a}$ is injected by an adversary, $\mathbf{a}$ is constrained by its support.

In analyzing the attack effect on state estimation, we adopt a linearization of (1) around a nominal state $\mathbf{x}_0$:

$$\mathbf{z} = h(\mathbf{x}_0) + \mathbf{H}(\mathbf{x} - \mathbf{x}_0) + \mathbf{e}, \qquad (3)$$

where $\mathbf{H} \in \mathbb{R}^{m \times n}$ is the measurement matrix that relates the system state to the measurement vector, and $\mathbf{e}$ is the Gaussian measurement noise with covariance matrix $\sigma^2 \mathbf{I}$. Without loss of generality, we assume that both $h(\mathbf{x}_0)$ and $\mathbf{x}_0$ are zero vectors¹ and employ the following model:

$$\mathbf{z} = \mathbf{H}\mathbf{x} + \mathbf{e}. \qquad (4)$$

A system is said to be observable if the measurement matrix $\mathbf{H}$ has full column rank (i.e., $\mathbf{x}$ can be uniquely determined from $\mathbf{H}\mathbf{x}$). System observability is essential for state estimation. In practice, sensors should be placed in the network to satisfy observability. Hence, we assume that the CPS of interest is observable, i.e., $\mathbf{H}$ has full column rank.

In practice, the nonlinear system and the nonlinear iterative state estimation techniques have a certain mitigating effect on attacks designed based on a linear model [27]. It is therefore important to validate the performance of an attack strategy based on the nonlinear model (1) using a nonlinear state estimator. Note that, while our attacks are constructed based on (4), our numerical experiments validate their performance using the original nonlinear system (1) with a nonlinear state estimator.

C.  State  estimation  and  bad  data  processing 

This section introduces a popular approach to state estimation and bad data processing [26], [28], which we assume to be employed by the fusion center. The specific approach is a widely used standard implementation in the power grid, where the number of states is on the order of 10,000 and the estimates are made every few minutes.

¹For general cases, we can simply treat $\mathbf{z}_1 = \mathbf{z} - h(\mathbf{x}_0)$ and $\mathbf{x}_1 = \mathbf{x} - \mathbf{x}_0$ as the measurement vector and the state vector and work with $\mathbf{z}_1 = \mathbf{H}\mathbf{x}_1 + \mathbf{e}$.
Fig. 1. State estimation and bad data processing


Fig. 1 illustrates an iterative scheme for obtaining an estimate $\hat{\mathbf{x}}$ of the system state, which consists of three functional blocks: state estimation, bad data detection, and bad data identification.

The assumed state estimator is based on the maximum likelihood principle and is implemented in a recursive manner. Iterations begin with the initial measurement vector $\mathbf{z}^{(1)} = \mathbf{z}$ and the initial measurement function $h^{(1)} = h$, where the superscript denotes the index of the current iteration.

In the $k$th iteration, state estimation uses $(\mathbf{z}^{(k)}, h^{(k)})$ as an input and calculates the least squares (LS) estimate of the system state and the corresponding residue vector:

$$\hat{\mathbf{x}}^{(k)} = \arg\min_{\mathbf{x}} \frac{1}{\sigma^2}\left\|\mathbf{z}^{(k)} - h^{(k)}(\mathbf{x})\right\|_2^2, \qquad \mathbf{r}^{(k)} \triangleq \mathbf{z}^{(k)} - h^{(k)}(\hat{\mathbf{x}}^{(k)}), \qquad (5)$$

where $\|\cdot\|_2$ denotes the $\ell_2$ norm. In practice, the above nonlinear LS estimate can be obtained by iteration of a linearized LS estimation using Newton-Raphson or quasi-Newton methods [26].
Bad data detection employs the $J(\hat{\mathbf{x}})$-test [26], [28]:

$$\text{bad data if } \frac{1}{\sigma^2}\left\|\mathbf{r}^{(k)}\right\|_2^2 > \tau^{(k)}; \qquad \text{good data if } \frac{1}{\sigma^2}\left\|\mathbf{r}^{(k)}\right\|_2^2 \le \tau^{(k)}, \qquad (6)$$

where $\tau^{(k)}$ is a predetermined threshold. The $J(\hat{\mathbf{x}})$-test is widely used due to its simplicity and the fact that the test statistic has a $\chi^2$ distribution if the data are good [28]. The latter fact is used to set the threshold $\tau^{(k)}$ for a given false alarm constraint.
If the bad data detector (6) declares that the data are good, the algorithm returns the state estimate $\hat{\mathbf{x}}^{(k)}$ and terminates. However, if the bad data detector declares that the data are bad, bad data identification is invoked to identify and remove one bad data entry from the measurement vector.

A widely used criterion for identifying a bad data entry is the normalized residue [26], [28]: each $r^{(k)}_i$ is divided by its standard deviation under the hypothesis that $\mathbf{z}^{(k)}$ contains no bad data. Therefore, each normalized residue approximately follows the standard normal distribution if $\mathbf{z}^{(k)}$ contains no bad data. Specifically,

$$\tilde{\mathbf{r}}^{(k)} \triangleq \boldsymbol{\Omega}^{(k)} \mathbf{r}^{(k)}, \qquad (7)$$

where $\boldsymbol{\Omega}^{(k)}$ is a diagonal matrix with

$$\Omega^{(k)}_{ii} = \begin{cases} 0 & \text{if removing } i \text{ makes the system unobservable}^2; \\[4pt] \dfrac{1}{\sigma\sqrt{W^{(k)}_{ii}}} & \text{otherwise;} \end{cases} \qquad (8)$$

and $\mathbf{W}^{(k)}$ is defined as

$$\mathbf{W}^{(k)} \triangleq \mathbf{I} - \mathbf{H}^{(k)}\left((\mathbf{H}^{(k)})^{\mathsf T}\mathbf{H}^{(k)}\right)^{-1}(\mathbf{H}^{(k)})^{\mathsf T}, \qquad (9)$$

with $\mathbf{H}^{(k)}$ denoting the Jacobian of $h^{(k)}$ at $\hat{\mathbf{x}}^{(k)}$ (see the Appendix of [28] for details).

Once the normalized residue is calculated, the sensor with the largest $|\tilde{r}^{(k)}_i|$ is identified as a bad sensor. The row of $\mathbf{z}^{(k)}$ and the row of $h^{(k)}$ that correspond to the bad sensor are removed, and the updated measurement vector $\mathbf{z}^{(k+1)}$ and measurement function $h^{(k+1)}$ are used as the inputs for the next iteration.

Using the linearized model (4), every step is the same as using the nonlinear model, except that the nonlinear measurement function $h^{(k)}(\mathbf{x})$ is replaced with the linear function $\mathbf{H}^{(k)}\mathbf{x}$ (so the Jacobian is the same everywhere). Note that the LS state estimate (5) is replaced with a simple linear LS solution:

$$\hat{\mathbf{x}}^{(k)} = \left((\mathbf{H}^{(k)})^{\mathsf T}\mathbf{H}^{(k)}\right)^{-1}(\mathbf{H}^{(k)})^{\mathsf T}\mathbf{z}^{(k)}, \qquad (10)$$


²If removing the sensor $i$ makes the system unobservable, its residue is always equal to zero [26], and the corresponding diagonal entry of $\mathbf{W}^{(k)}$ is zero. For such a sensor, the normalizing factor is 0 so that its normalized residue is equal to 0.
and thus

$$\mathbf{r}^{(k)} = \mathbf{z}^{(k)} - \mathbf{H}^{(k)}\hat{\mathbf{x}}^{(k)} = \mathbf{W}^{(k)}\mathbf{z}^{(k)}. \qquad (11)$$
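The loop of Fig. 1 on the linear model, written out as an added example (this is not code from the paper): linear LS estimate (10), residue (11), the J-test (6) with a per-iteration threshold, and normalized-residue identification (7)–(9) with the footnote-2 rule for sensors whose removal would break observability. The 5-by-2 measurement matrix, the noise level, the biased sensor and the 95% false-alarm level are all constructed for the example; the chi-square quantile is computed with the Wilson–Hilferty approximation so that no statistics library is needed.

```python
import numpy as np

# Constructed toy linear model (4): m = 5 sensors, n = 2 states. Made up for this example.
H_TOY = np.array([[1.0,  0.0],
                  [0.0,  1.0],
                  [1.0, -1.0],
                  [1.0,  1.0],
                  [2.0,  0.0]])
SIGMA = 0.1   # constructed measurement-noise standard deviation


def chi2_95_threshold(dof):
    """tau^(k) of (6): the 95% chi-square quantile for dof = m_k - n degrees of freedom,
    via the Wilson-Hilferty approximation (z_0.95 = 1.645); accurate to a few percent."""
    return dof * (1.0 - 2.0 / (9.0 * dof) + 1.645 * np.sqrt(2.0 / (9.0 * dof))) ** 3


def is_observable(H, tol=1e-9):
    """Full column rank: x is uniquely determined from Hx."""
    return np.linalg.matrix_rank(H, tol=tol) == H.shape[1]


def residual_projector(H):
    """W = I - H (H^T H)^{-1} H^T of (9); by (11) the residue is r = W z."""
    return np.eye(H.shape[0]) - H @ np.linalg.solve(H.T @ H, H.T)


def ls_estimate(H, z):
    """Linear LS estimate (10) and residue (11)."""
    x_hat = np.linalg.solve(H.T @ H, H.T @ z)
    return x_hat, z - H @ x_hat


def normalized_residue(H, r, sigma):
    """(7)-(8): r_i divided by its standard deviation sigma*sqrt(W_ii) under the
    no-bad-data hypothesis; a sensor whose removal would make the system
    unobservable gets normalizing factor 0 (footnote 2)."""
    W = residual_projector(H)
    omega = np.zeros(H.shape[0])
    for i in range(H.shape[0]):
        if is_observable(np.delete(H, i, axis=0)) and W[i, i] > 1e-12:
            omega[i] = 1.0 / (sigma * np.sqrt(W[i, i]))
    return omega * r


def bad_data_processing(H, z, sigma):
    """Estimate, J-test, remove the worst sensor, repeat (Fig. 1 on the linear model).
    Returns (x_hat, indices of removed sensors, True if the data were finally declared good)."""
    active = list(range(H.shape[0]))      # original indices of sensors still in use
    removed = []
    Hk, zk = H.copy(), z.copy()
    while True:
        x_hat, r = ls_estimate(Hk, zk)
        dof = Hk.shape[0] - Hk.shape[1]
        if dof < 1:                       # no redundancy left: nothing more can be tested
            return x_hat, removed, False
        J = float(r @ r) / sigma ** 2     # test statistic of (6)
        if J <= chi2_95_threshold(dof):
            return x_hat, removed, True
        r_tilde = normalized_residue(Hk, r, sigma)
        if not np.any(r_tilde):           # every remaining sensor is critical: cannot identify
            return x_hat, removed, False
        i = int(np.argmax(np.abs(r_tilde)))
        removed.append(active.pop(i))
        Hk = np.delete(Hk, i, axis=0)
        zk = np.delete(zk, i)


def demo(bias=5.0):
    """Constructed scenario: true state (1, 2), noise-free data, sensor 3 reports +bias."""
    z = H_TOY @ np.array([1.0, 2.0])
    z[3] += bias
    return bad_data_processing(H_TOY, z, SIGMA)
```

With the biased sensor the first J statistic is far above the threshold, sensor 3 has the largest normalized residue and is removed, and the second pass declares the remaining data good with the true state recovered; with `bias=0.0` the loop terminates at once with nothing removed.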

D.  Adversary  model 

An adversary is assumed to be capable of modifying the data from a subset of sensors $\mathcal{S}_A$, referred to as adversary sensors. The fusion center observes corrupted measurements $\bar{\mathbf{z}}$ instead of the real measurements $\mathbf{z}$. The adversarial modification is mathematically modeled by

$$\bar{\mathbf{z}} = \mathbf{z} + \mathbf{a}, \quad \mathbf{a} \in \mathcal{A}, \qquad (12)$$

where $\mathbf{a}$ is an attack vector, and $\mathcal{A}$ is the set of feasible attack vectors defined as

$$\mathcal{A} = \{\mathbf{a} \in \mathbb{R}^m : a_i = 0,\ \forall i \notin \mathcal{S}_A\}. \qquad (13)$$

Liu, Ning, and Reiter [6] presented an unobservable attack, which is a powerful attack mechanism capable of perturbing the state estimate without being detected. An unobservable attack can be formally defined as follows.

Definition 2.1: Given a measurement vector $\mathbf{z}$ corresponding to a state $\mathbf{x}$, i.e., $\mathbf{z} = \mathbf{H}\mathbf{x} + \mathbf{e}$, a state attack $\mathbf{a} \in \mathcal{A}$ is unobservable if there exists a state $\bar{\mathbf{x}} \neq \mathbf{x}$ such that $\mathbf{z} + \mathbf{a} = \mathbf{H}\bar{\mathbf{x}} + \mathbf{e}$.

The following lemma shows the algebraic property of the attack; it follows immediately from the definition.

Lemma 2.1: A state attack is unobservable if and only if $\mathbf{a} \neq \mathbf{0}$ and $\mathbf{a} \in \mathcal{R}(\mathbf{H}) \cap \mathcal{A}$. Furthermore, if $\mathbf{a}$ is unobservable, so is $\gamma \cdot \mathbf{a}$ for any nonzero $\gamma \in \mathbb{R}$, and $\|\bar{\mathbf{x}} - \mathbf{x}\|_2 \to \infty$ as $\gamma \to \infty$.

The feasibility of an unobservable attack is closely related to the concept of system observability. In particular, the following connection was found in [8].

Theorem  2.1  ([8]):  An  unobservable  attack  is  feasible  if  and  only  if  removing  the  adversary 
sensors  makes  the  grid  unobservable  (i.e.,  the  measurement  matrix  does  not  have  full  column 
rank.) 

Proof:  See  Appendix  A.  ■ 
III. Subspace methods for unobservable attack

Most existing works on an unobservable attack assumed that an adversary knows the measurement matrix $\mathbf{H}$. In contrast, this section presents a design of an unobservable attack based on the
system  measurement  subspace,  without  knowledge  of  H.  Employing  the  linearized  measurement 
model  (4),  we  will  present  the  conditions  under  which  an  unobservable  attack  can  be  constructed 
based  on  the  subspace  information.  We  also  demonstrate  a  condition  that  guarantees  the  design 
of  an  unobservable  attack  based  on  partial  sensor  measurements;  for  an  attack  on  a  power  grid, 
this  condition  is  characterized  as  a  graph  condition  on  the  network  topology. 

A.  Feasibility  of  an  unobservable  attack 

Note that designing an unobservable attack is equivalent to finding a nonzero vector in $\mathcal{R}(\mathbf{H})$ satisfying the sparsity pattern defined by $\mathcal{A}$. Therefore, an unobservable attack, if feasible, can be launched by using a basis matrix $\mathbf{U} \in \mathbb{R}^{m \times n}$ of $\mathcal{R}(\mathbf{H})$ without knowing $\mathbf{H}$, as stated in the following theorem. Formally, we refer to $\mathcal{R}(\mathbf{H})$ as the measurement subspace because it is the subspace of all possible noiseless measurements.

Theorem 3.1: Let $\mathbf{U}$ be any basis matrix of $\mathcal{R}(\mathbf{H})$ and $\bar{\mathbf{U}}$ a submatrix of $\mathbf{U}$ obtained by removing the rows corresponding to the adversary sensors. Then, the following are true:

1) An unobservable attack is feasible if and only if $\bar{\mathbf{U}}$ does not have full column rank.

2) When feasible, an unobservable attack can be constructed using $\mathbf{U}$: for a nonzero vector $\mathbf{v} \in \mathcal{N}(\bar{\mathbf{U}})$, $\mathbf{a} = \mathbf{U}\mathbf{v}$ is an unobservable attack vector.

Proof:  See  Appendix  B.  ■ 

Note that in constructing the unobservable attack vector $\mathbf{U}\mathbf{v}$, all that is necessary is a basis matrix $\mathbf{U}$ of $\mathcal{R}(\mathbf{H})$.
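From the defender's side, Theorems 2.1 and 3.1 give the test for which sensor subsets are critical (the security-index notion of the related work), and Lemma 2.1 explains why the J-test of (6) cannot see a column-space perturbation. The following added example (not the paper's code) runs both feasibility tests on a constructed 4-bus DC-flow-style matrix, checks that they agree, and verifies the residue invariance for any feasible subset. The network, unit line susceptances, the sensor set and the constructed state are assumptions of the example.

```python
import numpy as np

# Constructed DC-power-flow-style measurement matrix for a 4-bus path 1-2-3-4 with bus 1 as
# the angle reference. States x = (theta_2, theta_3, theta_4). Rows (sensors):
#   0: line flow 1->2   1: line flow 2->3   2: line flow 3->4
#   3: injection at bus 4   4: injection at bus 2
# Unit susceptances, made up for this example; not a benchmark network.
H_DC = np.array([[-1.0,  0.0,  0.0],
                 [ 1.0, -1.0,  0.0],
                 [ 0.0,  1.0, -1.0],
                 [ 0.0, -1.0,  1.0],
                 [ 2.0, -1.0,  0.0]])
CONSTRUCTED_STATE = np.array([0.1, 0.05, 0.0])   # arbitrary operating point for the check


def rank(A, tol=1e-9):
    return int(np.linalg.matrix_rank(A, tol=tol))


def feasible_by_theorem_2_1(H, adversary_sensors):
    """Theorem 2.1: an unobservable attack exists iff deleting the adversary rows from H
    leaves a matrix without full column rank."""
    H_bar = np.delete(H, sorted(adversary_sensors), axis=0)
    return rank(H_bar) < H.shape[1]


def column_space_basis(H):
    """Any basis matrix U of R(H) will do (Theorem 3.1); here an orthonormal one via thin SVD."""
    U, s, _ = np.linalg.svd(H, full_matrices=False)
    return U[:, s > 1e-9]


def feasible_by_theorem_3_1(U, adversary_sensors):
    """Theorem 3.1(1): the same test on the basis matrix U, without reference to H."""
    U_bar = np.delete(U, sorted(adversary_sensors), axis=0)
    return rank(U_bar) < U.shape[1]


def null_vector(A):
    """Right singular vector of the smallest singular value: a null vector when A is rank-deficient."""
    _, _, Vt = np.linalg.svd(A)
    return Vt[-1]


def residue(H, z):
    """Residue (11) of the linear LS estimate (10)."""
    x_hat = np.linalg.solve(H.T @ H, H.T @ z)
    return z - H @ x_hat


def assess(H, adversary_sensors, z=None):
    """Security assessment of one sensor subset: do the two feasibility tests agree, and, if
    the subset is critical, does a column-space vector supported on it (a = U v, Theorem 3.1(2))
    leave the residue, hence the J-test, exactly unchanged as Lemma 2.1 states?"""
    if z is None:
        z = H @ CONSTRUCTED_STATE
    S = sorted(adversary_sensors)
    U = column_space_basis(H)
    by_H, by_U = feasible_by_theorem_2_1(H, S), feasible_by_theorem_3_1(U, S)
    report = {"feasible": by_H, "tests_agree": by_H == by_U,
              "support_ok": None, "residue_unchanged": None}
    if by_H:
        a = U @ null_vector(np.delete(U, S, axis=0))
        others = [i for i in range(H.shape[0]) if i not in S]
        report["support_ok"] = bool(np.allclose(a[others], 0.0) and np.linalg.norm(a) > 1e-9)
        report["residue_unchanged"] = bool(np.allclose(residue(H, z), residue(H, z + a)))
    return report
```

Sensors {2, 3} are the two meters on line 3-4, the cut that isolates bus 4 (the analogue of the bus-115 cut discussed for Fig. 2); removing them makes $\theta_4$ unobservable, so the subset is critical. The flow sensor on 3-4 alone is not, because the injection meter at bus 4 still pins $\theta_4$.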

B. Unobservable attack with partial measurements

In  this  section,  we  show  that  an  unobservable  attack  can  be  constructed  using  the  subspace 
information  of  partial  sensor  measurements.  To  formally  state  the  result,  we  need  the  notion  of 
a  critical  set  of  sensors  [26]  and  partial  observability  defined  as  follows. 

Definition 3.1: A set of sensors is called a critical set if removing the set of sensors from the system renders the system unobservable while removing any strict subset of it does not. Let $\mathcal{S}$ and $\mathcal{X}$ denote a subset of sensors and a subset of state variables, respectively. The state variables in $\mathcal{X}$ are said to be observable with respect to $\mathcal{S}$ if the state variables in $\mathcal{X}$ can be uniquely determined based on measurements from $\mathcal{S}$³. When the state variables in $\mathcal{X}$ are observable with respect to $\mathcal{S}$, a subset $\mathcal{C}$ of $\mathcal{S}$ is a critical set with respect to $(\mathcal{S}, \mathcal{X})$ if removing $\mathcal{C}$ from $\mathcal{S}$ makes the state variables in $\mathcal{X}$ no longer observable with respect to $\mathcal{S}$ while removing a strict subset of $\mathcal{C}$ from $\mathcal{S}$ does not.

Consider a subset of sensors $\mathcal{S}_0$. Let $\mathcal{X}_0$ denote the set of state variables whose values affect measurements from the sensors in $\mathcal{S}_0$ (i.e., the $|\mathcal{S}_0|$ by $n$ submatrix $\mathbf{H}_0$ of $\mathbf{H}$, consisting of the rows corresponding to the sensors in $\mathcal{S}_0$, has nonzero columns exactly at the columns corresponding to the state variables in $\mathcal{X}_0$).

The following theorem provides the conditions under which an unobservable attack can be constructed based on the subspace information of measurements from $\mathcal{S}_0$. The conditions roughly mean that (i) based on measurements from $\mathcal{S}_0$, one can uniquely identify the relevant state variables (i.e., the variables in $\mathcal{X}_0$) and (ii) $\mathcal{S}_0$ contains a set of sensors which, if controlled by an adversary, is sufficient for launching an unobservable attack and is also critical with respect to $(\mathcal{S}_0, \mathcal{X}_0)$.

Theorem 3.2: Suppose that

1) the state variables in $\mathcal{X}_0$ are observable with respect to $\mathcal{S}_0$,

2) $\mathcal{C} \subset \mathcal{S}_0$ is a critical set with respect to $(\mathcal{S}_0, \mathcal{X}_0)$, and

3) removing $\mathcal{C}$ makes the system unobservable.

Let $\mathbf{H}_0 \in \mathbb{R}^{|\mathcal{S}_0| \times n}$ denote the submatrix of $\mathbf{H}$ obtained by retaining only the rows corresponding to the sensors in $\mathcal{S}_0$. Then, the following are true:

1) Let $\mathcal{A}_0$ denote the set of vectors in $\mathcal{R}(\mathbf{H}_0)$ such that $\mathbf{b} \in \mathcal{R}(\mathbf{H}_0)$ is in $\mathcal{A}_0$ if and only if the rows of $\mathbf{b}$ corresponding to the sensors in $\mathcal{S}_0 \setminus \mathcal{C}$ are equal to zero. Then, the dimension of $\mathcal{A}_0$ is one.

2) For an arbitrary nonzero $\mathbf{a}_0 \in \mathcal{A}_0$, the attack that modifies the sensor data from $\mathcal{C}$ by adding the corresponding entries in $\mathbf{a}_0$ to the real data is unobservable.

³In other words, every element of $\mathcal{N}(\mathbf{H}_{\mathcal{S}})$ has zero entries for the rows corresponding to the state variables in $\mathcal{X}$, where $\mathbf{H}_{\mathcal{S}} \in \mathbb{R}^{|\mathcal{S}| \times n}$ is the submatrix of $\mathbf{H}$ obtained by retaining only the rows corresponding to the sensors in $\mathcal{S}$.
Proof: See Appendix C. ■

Note that $\mathcal{A}_0$ in Theorem 3.2 can be fully characterized based on a basis matrix of $\mathcal{R}(\mathbf{H}_0)$. The following corollary provides the detail of how an attack can be constructed from a basis matrix of $\mathcal{R}(\mathbf{H}_0)$.

Corollary 3.2.1: Suppose that the conditions 1), 2), and 3) of Theorem 3.2 hold. Let $\mathbf{U}_0 \in \mathbb{R}^{|\mathcal{S}_0| \times |\mathcal{X}_0|}$ denote a basis matrix of $\mathcal{R}(\mathbf{H}_0)$ and $\bar{\mathbf{U}}_0$ denote a submatrix of $\mathbf{U}_0$ obtained by removing the rows corresponding to the sensors in $\mathcal{C}$. Then, the following are true:

1) The dimension of $\mathcal{N}(\bar{\mathbf{U}}_0)$ is one.

2) For any nonzero vector $\mathbf{v} \in \mathcal{N}(\bar{\mathbf{U}}_0)$, the attack that modifies the sensor data from $\mathcal{C}$ by adding the corresponding entries in $\mathbf{U}_0\mathbf{v}$ to the real data is unobservable.

The three conditions of Theorem 3.2 are all related to system observability or partial observability. In the case of a power grid, system observability and partial observability can be checked based on partial information about the grid topology and sensor locations. In particular, the graph-theoretical observability criterion in [19] can be employed.

A power grid is a network of buses connected by transmission lines. The topology of a grid is naturally defined as an undirected graph $\mathcal{G} = (\mathcal{V}, \mathcal{E})$, where $\mathcal{V}$ is the set of buses, and $\mathcal{E}$ is the set of connected transmission lines: $\{i, j\}$ is in $\mathcal{E}$ if and only if there exists a connected transmission line between bus $i$ and bus $j$. We consider two types of legacy sensors: line flow sensors and bus injection sensors. A line flow sensor located on a line $\{i, j\}$ measures the power flowing through the line either from bus $i$ to bus $j$ or from bus $j$ to bus $i$. A bus injection sensor on bus $i$ measures the total power injected into the network at bus $i$ (see Appendix F for the details of the sensor measurements).

The following corollary presents the graph conditions that imply the conditions of Theorem 3.2 for an attack on power grid state estimation. Appendix F provides the details of the graph-theoretical observability criterion in [19], which directly results in the following corollary from Theorem 3.2. To state the corollary, we need to introduce the concept of a reduced power network. Given a subset $\mathcal{S}_0$ of sensors, the reduced network consists of the sensors in $\mathcal{S}_0$ and the topology $\tilde{\mathcal{G}} = (\tilde{\mathcal{V}}, \tilde{\mathcal{E}})$, where $\{i, j\}$ is in $\tilde{\mathcal{E}}$ if and only if a line flow sensor on $\{i, j\}$ is in $\mathcal{S}_0$, or an injection sensor at bus $i$ or bus $j$ is in $\mathcal{S}_0$, and $\tilde{\mathcal{V}}$ consists of all the endpoints of the lines in $\tilde{\mathcal{E}}$. For instance, in the IEEE 118-bus network, Fig. 2 describes a reduced network for $\mathcal{S}_0$ consisting of the circled sensors. In this example, the vertices and edges inside the dashed boundary form $\tilde{\mathcal{G}}$.

Fig. 2. A part of the IEEE 118-bus network: Rectangles represent the sensor locations. Every bus has an injection sensor, and every line has line flow sensors for both directions.

Corollary 3.2.2: Let $\mathcal{S}_0$ be a subset of sensors, $\tilde{\mathcal{G}} = (\tilde{\mathcal{V}}, \tilde{\mathcal{E}})$ the topology of the reduced network for $\mathcal{S}_0$, and $\mathcal{C}$ a subset of $\mathcal{S}_0$. Suppose that

1) There exists a cut of the grid topology $\tilde{\mathcal{G}}$ such that $\mathcal{C}$ consists of all line flow sensors on the cutset lines and all injection sensors on the endpoints of the cutset lines.

2) For every sensor $s$ in $\mathcal{C}$, there exists a way to assign each injection sensor in $(\mathcal{S}_0 \setminus \mathcal{C}) \cup \{s\}$ to a line incident to the bus where the sensor is located⁴ such that there exists a spanning tree of $\tilde{\mathcal{G}}$ with at least one sensor in $(\mathcal{S}_0 \setminus \mathcal{C}) \cup \{s\}$ on every edge of the tree (either a line flow or an assigned injection sensor).

⁴In other words, for an injection sensor located at bus $i$, we assign the injection sensor to one of the lines that are incident to bus $i$. We do this for each injection sensor in $(\mathcal{S}_0 \setminus \mathcal{C}) \cup \{s\}$.
Then, the conditions of Theorem 3.2 hold, and thus the statements in Theorem 3.2 and Corollary 3.2.1 hold.

Note  that  the  conditions  of  Corollary  3.2.2  are  related  to  the  topology  and  the  sensor  locations 
in  the  reduced  network.  Therefore,  an  adversary  can  exploit  partial  information  about  the  topology 
and  sensor  locations  to  find  an  attack  setting  that  enables  an  unobservable  attack  with  partial 
sensor  observations.  For  instance,  it  can  be  easily  checked  that  the  example  in  Fig.  2  with  C 
consisting  of  the  circled  empty-rectangle  sensors  satisfies  the  conditions.  In  particular,  the  first 
condition  is  satisfied  with  the  cut  that  isolates  bus  115  from  the  rest  of  the  network. 

C.  Subspace  attack  algorithm 

All the information necessary for the subspace attack methods is the subspace information of $\mathcal{R}(\mathbf{H})$ or $\mathcal{R}(\mathbf{H}_0)$. Subspace estimation based on measurement data has been actively studied in the signal processing literature (e.g., [29], [30]), and thus subspace methods naturally lead to a data-driven algorithm for practical attack scenarios. Our focus in this section is to demonstrate how (any) subspace estimator can be used to generate a data-driven attack.

One of the simplest yet effective ways of estimating a basis matrix is to use a sample covariance matrix. Let $\mathbf{z}_1, \dots, \mathbf{z}_K$ denote measurement vectors at $K$ different sampling instances:

$$\mathbf{z}_i = \mathbf{H}\mathbf{x}_i + \mathbf{e}_i, \quad i = 1, \dots, K. \qquad (14)$$

For simplicity, suppose that the noise vectors $\mathbf{e}_1, \dots, \mathbf{e}_K$ are independent and identically distributed (i.i.d.), the state vectors $\mathbf{x}_1, \dots, \mathbf{x}_K$ are i.i.d. with a positive definite covariance matrix $\boldsymbol{\Sigma}_{\mathbf{x}}$, and the noise vectors and the state vectors are uncorrelated. Then, the covariance matrix of $\mathbf{z}$ is

$$\boldsymbol{\Sigma}_{\mathbf{z}} = \mathbb{E}\left[(\mathbf{z}_1 - \mathbb{E}[\mathbf{z}_1])(\mathbf{z}_1 - \mathbb{E}[\mathbf{z}_1])^{\mathsf T}\right] = \mathbf{H}\boldsymbol{\Sigma}_{\mathbf{x}}\mathbf{H}^{\mathsf T} + \sigma^2\mathbf{I}. \qquad (15)$$

Note that $\mathbf{H}\boldsymbol{\Sigma}_{\mathbf{x}}\mathbf{H}^{\mathsf T}$ has rank $n$. Therefore, if $\mathbf{U}\boldsymbol{\Lambda}\mathbf{V}^{\mathsf T}$ is a singular value decomposition (SVD) of $\boldsymbol{\Sigma}_{\mathbf{z}}$, the $n$ columns of $\mathbf{U}$ that correspond to the $n$ largest singular values form a basis of $\mathcal{R}(\mathbf{H}\boldsymbol{\Sigma}_{\mathbf{x}}\mathbf{H}^{\mathsf T})$. Because $\mathcal{R}(\mathbf{H}\boldsymbol{\Sigma}_{\mathbf{x}}\mathbf{H}^{\mathsf T})$ is equivalent to $\mathcal{R}(\mathbf{H})$, the same columns form a basis of $\mathcal{R}(\mathbf{H})$.
Therefore, in practice, we can estimate a basis matrix of $\mathcal{R}(\mathbf{H})$ by applying SVD to the sample covariance matrix $\hat{\boldsymbol{\Sigma}}_{\mathbf{z}}$:

$$\hat{\boldsymbol{\Sigma}}_{\mathbf{z}} = \frac{1}{K-1}\sum_{i=1}^{K}(\mathbf{z}_i - \bar{\mathbf{z}})(\mathbf{z}_i - \bar{\mathbf{z}})^{\mathsf T}, \qquad (16)$$

where $\bar{\mathbf{z}}$ denotes the sample mean.

Based on the above (or any other) subspace estimator and Theorem 3.1, the data-driven attack with full sensor observations operates as follows with the observations $\{\mathbf{z}_1, \dots, \mathbf{z}_K\}$ and the adversary sensor set $\mathcal{S}_A$ as inputs:

1) Subspace estimation: Based on $\{\mathbf{z}_1, \dots, \mathbf{z}_K\}$, calculate an estimate $\hat{\mathbf{U}} \in \mathbb{R}^{m \times n}$ of a basis matrix of $\mathcal{R}(\mathbf{H})$.

2) Null space estimation: Obtain $\hat{\bar{\mathbf{U}}}$ by removing the rows of $\hat{\mathbf{U}}$ that correspond to the sensors in $\mathcal{S}_A$. Find an SVD of $\hat{\bar{\mathbf{U}}}$, $\hat{\bar{\mathbf{U}}} = \mathbf{U}\boldsymbol{\Lambda}\mathbf{V}^{\mathsf T}$, and let $\mathbf{v}$ denote the column of $\mathbf{V}$ that corresponds to the smallest singular value ($\mathbf{v}$ is an estimate of a nonzero element of $\mathcal{N}(\bar{\mathbf{U}})$ in Theorem 3.1).

3) Attack: Modify the sensor data from $\mathcal{S}_A$ by adding the corresponding entries of $\eta \cdot \hat{\mathbf{U}}\mathbf{v}$ to them, where $\eta \in \mathbb{R}$ is a scaling factor to adjust the degree of perturbation.

The data-driven attack with partial sensor observations can be constructed in the same manner
based on Corollary 3.2.1. Specifically, the attack receives $(X_O, S_O, C)$ and $\{\mathbf{z}_1, \ldots, \mathbf{z}_K\}$, the set
of measurements from the sensors in $S_O$ at $K$ different time instances, as inputs and executes
the following steps:

1) Subspace estimation: Based on $\{\mathbf{z}_1, \ldots, \mathbf{z}_K\}$, calculate an estimate $\mathbf{U}_O \in \mathbb{R}^{|S_O| \times |X_O|}$ of a
basis matrix of $\mathcal{R}(\mathbf{H}_O)$.

2) Null space estimation: Obtain $\mathbf{U}_C$ by removing the rows of $\mathbf{U}_O$ that correspond to the
sensors in $C$. Find an SVD of $\mathbf{U}_C$: $\mathbf{U}_C = \mathbf{U}\boldsymbol{\Lambda}\mathbf{V}^T$. Let $\mathbf{v}$ denote the column of $\mathbf{V}$ that
corresponds to the smallest singular value ($\mathbf{v}$ is an estimate of a nonzero element of
$\mathcal{N}(\bar{\mathbf{U}}_O)$ in Corollary 3.2.1.)

3) Attack: Modify the sensor data from $C$ by adding the corresponding entries of $\eta \cdot \mathbf{U}_O\mathbf{v}$ to
them, where $\eta \in \mathbb{R}$ is a scaling factor to adjust the degree of perturbation.

IV.  Subspace  methods  for  data  framing  attack 

The  idea  of  data  framing  attack  based  on  full  system  parameter  information  was  first  presented 
in [23]. In this section, we demonstrate data-driven approaches of data framing attack by
exploiting the subspace structure of sensor measurements.

A.  Data  framing  attack 

A data framing attack aims to enable an adversary to perturb the state estimate by an arbitrary
degree even when an unobservable attack with $S_A$ does not exist. To this end, a data framing
attack frames some normally operating meters as sources of bad data such that their data will be
removed. A critical parameter of data framing attack is the set of sensors to be framed, denoted
by $S_F$. The framed sensor set $S_F$ is selected such that $S_F \cap S_A = \emptyset$, and if the sensors in $S_F$ are
removed from the system, an unobservable attack with $S_A$ becomes feasible. Under this selection
rule, an adversary may design an attack that becomes unobservable once the sensor data from
$S_F$ are removed by the bad data removal rule.

To ensure that the data from $S_F$ are removed, one can use an attack vector that maximizes
the energy of the normalized residues at $S_F$ in the first iteration of the bad data processing. Such
an attack design does not necessarily guarantee that all data from $S_F$ will be identified as bad.
Nevertheless, this is a reasonable heuristic to circumvent the difficulty of analyzing the attack effect
on normalized residues in all iterations.

To  simplify  notation,  we  drop  the  superscript  that  denotes  the  first  iteration  of  bad  data 
processing:  all  the  quantities  in  this  section  are  from  the  first  iteration  unless  otherwise  specified. 
The  attack  direction  that  maximizes  the  energy  of  the  normalized  residues  in  the  first  iteration 
can  be  constructed  by  solving  the  following  optimization  [23]: 

$\max_{\mathbf{a}} \; E\Big[\sum_{i \in S_F} \tilde{r}_i^2\Big]$  (17)

subj. $\|\mathbf{a}\|_2^2 = 1,\; \mathbf{a} \in \mathcal{R}(\mathbf{H}_1) \cap \mathcal{A},$

where $\mathbf{H}_1 \in \mathbb{R}^{m \times n}$ is a matrix obtained from $\mathbf{H}$ by replacing the rows corresponding to the
sensors in $S_F$ with zero row vectors. The constraint $\mathbf{a} \in \mathcal{R}(\mathbf{H}_1)$ holds if and only if $\mathbf{a}$ is
unobservable after the framed sensor data are removed. This constraint guarantees that once the
data from $S_F$ are removed, the attack can have the same effect as an unobservable attack.

The following theorem states that a solution to (17) can be obtained without knowing $\mathbf{H}$ if
we know a basis matrix of $\mathcal{R}(\mathbf{H})$.

Theorem 4.1: An adversary knowing a basis matrix $\mathbf{U} \in \mathbb{R}^{m \times n}$ of $\mathcal{R}(\mathbf{H})$ can find a solution
of (17). Specifically, a solution to the following quadratically constrained quadratic programming
(QCQP) is also a solution to (17), and vice versa:

$\max_{\mathbf{a}} \; \|\mathbf{I}_{S_F}\boldsymbol{\Omega}\mathbf{W}\mathbf{a}\|_2^2$  (18)

subj. $\|\mathbf{a}\|_2^2 = 1,\; \mathbf{a} \in \mathcal{R}(\mathbf{U}_1) \cap \mathcal{A},$

where $\mathbf{I}_{S_F} \in \mathbb{R}^{|S_F| \times m}$ is the row selection operator that retains only the rows corresponding to
the sensors in $S_F$ out of $m$ rows,

$\mathbf{W} = \mathbf{I} - \mathbf{U}(\mathbf{U}^T\mathbf{U})^{-1}\mathbf{U}^T,$

$\boldsymbol{\Omega} \in \mathbb{R}^{m \times m}$ is a diagonal matrix with

$\Omega_{ii} = 1/\sqrt{W_{ii}}$ if $W_{ii} > 0$; $\Omega_{ii} = 0$ if $W_{ii} = 0$,

and $\mathbf{U}_1 \in \mathbb{R}^{m \times n}$ is a matrix obtained from $\mathbf{U}$ by replacing the rows corresponding to the sensors
in $S_F$ with zero row vectors.

Proof: See Appendix D. ■

Note that addition of the attack vector $\mathbf{a}$ changes the mean of the residue vector from $\mathbf{0}$ to
$\mathbf{W}\mathbf{a}$. And, $\mathbf{I}_{S_F}\boldsymbol{\Omega}\mathbf{W}\mathbf{a}/\sigma$ is the resulting mean of the normalized residues of the data from $S_F$.

B.  Sufficiency  of  partial  measurements 

Similar  to  sufficiency  of  partial  measurements  for  an  unobservable  attack  (Theorem  3.2),  data 
framing  attack  can  also  be  launched  based  on  subspace  information  of  partial  measurements,  as 
stated  formally  in  the  following  theorem.  Below,  we  use  the  notations  defined  in  Section  III-B 
for  the  partial  measurement  case. 

Theorem 4.2: Suppose that the conditions 1), 2), and 3) of Theorem 3.2 hold for $S_O$, $X_O$, and
$C$. Let $\{C_1, C_2\}$ denote an arbitrary partition of $C$. Let $\mathbf{H}_A$ denote a submatrix of $\mathbf{H}$ consisting
of the rows corresponding to the sensors in $S_O \setminus C_2$, $\mathbf{U}_A \in \mathbb{R}^{|S_O \setminus C_2| \times |X_O|}$ denote a basis matrix of
$\mathcal{R}(\mathbf{H}_A)$, and $\bar{\mathbf{U}}_A$ denote a submatrix of $\mathbf{U}_A$ obtained by removing the rows corresponding to the
sensors in $C_1$. Then, the following are true:

1) The dimension of $\mathcal{N}(\bar{\mathbf{U}}_A)$ is one.

2) For a nonzero vector $\mathbf{v} \in \mathcal{N}(\bar{\mathbf{U}}_A)$, the attack that modifies the sensor data from $C_1$ by
adding the corresponding entries in $\mathbf{U}_A\mathbf{v}$ to the real data is equivalent to using $\alpha \cdot \mathbf{a}^*$ as
an attack vector, where $\alpha$ is a nonzero real number, and $\mathbf{a}^*$ is an optimal solution to (17)
with $(S_A, S_F) = (C_1, C_2)$.

(19)

(20)

Proof: See Appendix E. ■

Theorem 4.2 implies that knowledge of a basis matrix of $\mathcal{R}(\mathbf{H}_A)$, the subspace of measurements
from $S_O \setminus C_2$, is sufficient for launching a data framing attack with $(S_A, S_F) = (C_1, C_2)$.
Note that Theorem 4.2 requires the same conditions as Theorem 3.2. Therefore, for an attack on
a power grid, the graph conditions in Corollary 3.2.2 can replace the conditions of Theorem 4.2.

C.  Subspace  data  framing  attack  algorithm 

Theorem 4.1 and Theorem 4.2 guarantee the sufficiency of subspace information in constructing
data framing attacks. Similar to the data-driven algorithms for unobservable attacks, we can
incorporate a subspace estimator and SVD to build a data-driven algorithm for data framing
attacks.

The data-driven framing attack with full sensor observations receives sensor observations
$\{\mathbf{z}_1, \ldots, \mathbf{z}_K\}$ at $K$ different time instances and $(S_A, S_F)$ as inputs, and it has two small positive
parameters $\epsilon_1$ and $\epsilon_2$ for thresholding rules. Based on the QCQP formulation (18), it works as
follows:

1) Subspace estimation: Based on $\{\mathbf{z}_1, \ldots, \mathbf{z}_K\}$, calculate an estimate $\mathbf{U} \in \mathbb{R}^{m \times n}$ of a basis
matrix of $\mathcal{R}(\mathbf{H})$.

2) Null space estimation: Obtain $\mathbf{U}_2$ by removing the rows of $\mathbf{U}$ that correspond to the
sensors in $S_A \cup S_F$. Find an SVD of $\mathbf{U}_2$: $\mathbf{U}_2 = \mathbf{U}\boldsymbol{\Lambda}\mathbf{V}^T$. Let $\tilde{\mathbf{V}}$ denote the matrix consisting
of the columns of $\mathbf{V}$ whose corresponding singular values are less than $\epsilon_1$. Let $\mathbf{U}_A \in \mathbb{R}^{m \times n}$
be the matrix obtained from $\mathbf{U}$ by replacing the rows corresponding to the sensors not in
$S_A$ with zero row vectors. Then, $\mathbf{U}_A\tilde{\mathbf{V}}$ is an estimate of a basis matrix of $\mathcal{R}(\mathbf{U}_1) \cap \mathcal{A}$ in
(18)⁵.

3) QCQP parameter estimation: Calculate

$\mathbf{W} = \mathbf{I} - \mathbf{U}(\mathbf{U}^T\mathbf{U})^{-1}\mathbf{U}^T$  (21)

and $\boldsymbol{\Omega} \in \mathbb{R}^{m \times m}$, which is a diagonal matrix with

$\Omega_{ii} = 1/\sqrt{W_{ii}}$ if $W_{ii} > \epsilon_2$; $\Omega_{ii} = 0$ if $W_{ii} \le \epsilon_2$.  (22)

4) QCQP: Solve: maximize $\|\mathbf{I}_{S_F}\boldsymbol{\Omega}\mathbf{W}\mathbf{U}_A\tilde{\mathbf{V}}\mathbf{y}\|_2^2$ subject to $\|\mathbf{U}_A\tilde{\mathbf{V}}\mathbf{y}\|_2^2 = 1$ and $\mathbf{y} \in \mathbb{R}^k$, where
$k$ is the number of columns of $\tilde{\mathbf{V}}$. Let $\mathbf{y}^*$ denote the solution.

5) Attack: Modify the sensor data from $S_A$ by adding the corresponding entries of $\eta \cdot \mathbf{U}_A\tilde{\mathbf{V}}\mathbf{y}^*$
to them, where $\eta \in \mathbb{R}$ is a scaling factor to adjust the degree of perturbation.

⁵A basis matrix of $\mathcal{R}(\mathbf{U}_1) \cap \mathcal{A}$ in (18) can be found by noting that $\mathbf{a} \in \mathcal{R}(\mathbf{U}_1) \cap \mathcal{A}$ if and only if $\mathbf{a} = \mathbf{U}_1\mathbf{y}$ for some
$\mathbf{y} \in \mathcal{N}(\mathbf{U}_2)$, where $\mathbf{U}_2 \in \mathbb{R}^{(m - |S_A \cup S_F|) \times n}$ is a submatrix of $\mathbf{U}$ obtained by removing the rows corresponding to the sensors in
$S_A \cup S_F$. In other words, given a basis matrix $\mathbf{B}$ of $\mathcal{N}(\mathbf{U}_2)$, $\mathbf{U}_1\mathbf{B}$ is a basis matrix of $\mathcal{R}(\mathbf{U}_1) \cap \mathcal{A}$.

Based on Theorem 4.2, the data-driven framing attack with partial sensor observations receives
$(X_O, S_O, C_1, C_2)$ and $\{\mathbf{z}_1, \ldots, \mathbf{z}_K\}$, the set of measurements from the sensors in $S_O \setminus C_2$ at $K$
different time instances, as inputs and executes the following steps:

1) Subspace estimation: Based on $\{\mathbf{z}_1, \ldots, \mathbf{z}_K\}$, calculate an estimate $\mathbf{U}_A \in \mathbb{R}^{|S_O \setminus C_2| \times |X_O|}$ of
a basis matrix of $\mathcal{R}(\mathbf{H}_A)$.

2) Null space estimation: Obtain $\mathbf{U}_C$ by removing the rows of $\mathbf{U}_A$ that correspond to the
sensors in $C_1$. Find an SVD of $\mathbf{U}_C$: $\mathbf{U}_C = \mathbf{U}\boldsymbol{\Lambda}\mathbf{V}^T$. Let $\mathbf{v}$ denote the column of $\mathbf{V}$ that
corresponds to the smallest singular value ($\mathbf{v}$ is an estimate of a nonzero element of $\mathcal{N}(\bar{\mathbf{U}}_A)$
in Theorem 4.2.)

3) Attack: Modify the sensor data from $C_1$ by adding the corresponding entries of $\eta \cdot \mathbf{U}_A\mathbf{v}$
to them, where $\eta \in \mathbb{R}$ is a scaling factor to adjust the degree of perturbation.


V.  Numerical  results 


In this section, simulations with benchmark power grids, the IEEE 14-bus network and
the IEEE 118-bus network, demonstrate the performance of data-driven attacks. The nonlinear
measurement model (1) and the nonlinear state estimator were employed to emulate practical
power system state estimation. The power system measurement model is briefly described in
Appendix F. As an attack performance metric, we used the $\ell_2$ norm of the mean state estimation
error, i.e., $E[\|\hat{\mathbf{x}} - \mathbf{x}\|_2]$, where $\hat{\mathbf{x}}$ is the state estimate, and $\mathbf{x}$ is the true state.

A.  Simulation  methods 

In each Monte Carlo run, we used the nonlinear model (1) to generate measurement vectors.
State vectors at different time points were assumed to be independent and identically distributed
Gaussian random vectors with the mean equal to the operating states given in the IEEE 14-bus
and 118-bus data [18]. The means are far from the nominal state that is generally used in a
power system to obtain the linearized model (4). The threshold of the bad data detector (i.e.,
the $J(\hat{\mathbf{x}})$-test) was set to satisfy the false alarm constraint 0.04.

May 8, 2014  DRAFT

Fig. 3. IEEE 14-bus network: The circled empty rectangles represent the adversary sensors (i.e., the sensors in $S_A$). The
adversary with partial sensor observations can observe all the circled sensors.

In  each  simulation  scenario,  we  compared  performance  of  three  attack  methods:  an  attack  with 
full  knowledge  of  H,  a  data-driven  attack  with  full  sensor  observations,  and  a  data-driven  attack 
with  partial  sensor  observations.  For  data-driven  attacks,  1000  observations  were  used  to  estimate 
a  basis  matrix  of  the  subspace  of  (either  full  or  partial)  measurements;  the  attacks  employed  the 
subspace  estimator  that  uses  the  sample  covariance  matrix  as  described  in  Section  III-C.  Both 
the  14-bus  network  and  the  118-bus  network  were  assumed  to  be  fully  measured;  i.e.,  all  bus 
injections  and  all  line  flows  (in  both  directions  for  each  line)  were  measured  by  sensors. 
B. Data-driven unobservable attack

1) IEEE 14-bus test: In the IEEE 14-bus network, we considered an adversary controlling
data from (1), (3), (4), (5), (1,2), (2,1), (1,5), (5,1), (2,5), (5,2), (2,4), (4,2), (4,3), and
(3,4), as illustrated in Fig. 3: $(i)$ denotes the injection sensor at bus $i$, and $(i,j)$ denotes the
line flow sensor measuring the power flow from $i$ to $j$. Theorem 2.1 and the spanning tree
observability criterion [19] imply that the adversary is capable of launching an unobservable
attack (see Appendix F.) In addition, the adversary sensor set is also a critical set, and thus all
possible unobservable attack vectors are aligned along the same direction (i.e., the dimension of
$\mathcal{A} \cap \mathcal{R}(\mathbf{H})$ is one.)

An  adversary  with  partial  sensor  observations  was  assumed  to  observe  data  from  (1),  (2),  (3), 
(4),  (5),  (1,2),  (2,1),  (1,5),  (5,1),  (2,5),  (5,2),  (2,4),  (4,2),  (3,4),  (4,3),  (4,5),  (3,2),  (5,6), 
(4,7),  and  (4,9).  In  this  setting,  the  spanning  tree  observability  criterion  can  be  used  to  verify 
that  the  conditions  of  Theorem  3.2  are  satisfied  (see  Appendix  F,)  and  thus  an  adversary  with 
partial  observations  can  construct  an  unobservable  attack  under  the  linearized  model  assumption. 

Fig. 4 shows the performance of unobservable attacks, especially the plot of the normalized
state estimation error versus the relative attack magnitude ($\|\mathbf{a}\|/\|\mathbf{z}\|$). The mean state estimation
errors  are  normalized  with  respect  to  the  mean  estimation  error  under  the  non-attack  scenario. 
Both  data-driven  attacks  performed  as  well  as  the  attack  with  knowledge  of  H.  The  results 
indicate  that  even  in  a  practical  nonlinear  power  system,  the  data-driven  attacks  designed  based 
on  the  linear  model  can  perform  well,  and  partial  sensor  observations  can  provide  sufficient 
information  for  designing  an  unobservable  attack. 

2)  IEEE  118-bus  test:  In  the  IEEE  118-bus  simulation,  we  considered  unobservable  attacks 
discussed  in  the  example  in  Fig.  2  of  Section  III-B.  Fig.  5  shows  the  plots  of  the  normalized 
state  estimation  error  versus  the  relative  attack  magnitude.  Three  methods  resulted  in  almost  the 
same  degree  of  perturbation  on  the  state  estimate.  The  results  demonstrate  that  observing  data 
from  a  small  fraction  of  sensors  can  be  sufficient  for  launching  an  unobservable  attack  on  a 
large  system;  only  about  2  percent  of  sensors  need  to  be  observed. 

C.  Data-driven  framing  attack 

1) IEEE 14-bus test: For data framing attacks, we considered an adversary who controls (4),
(1,5), (5,1), (5,2), (4,2), (4,3), and (3,4), and frames (1), (3), (5), (1,2), (2,1), (2,5), and
(2,4) as sources of bad data. Under this setting, an adversary cannot launch an unobservable
attack. An adversary with partial observations was assumed to observe data from (2), (4), (1,5),
(5,1), (5,2), (4,2), (3,4), (4,3), (4,5), (3,2), (5,6), (4,7), and (4,9). This setting satisfies the
conditions of Theorem 4.2 and enables an adversary with partial sensor observations to launch
a data framing attack under the linearized model assumption (see Appendix F.)

Fig. 4. Unobservable attacks on the 14-bus network: the sensor SNR is 46 dB. Attacks with the relative attack magnitudes 2,
4, 6, and 8 % were tested. For each scenario, 1,000 Monte Carlo runs are used. (Plot: normalized state estimation error versus $\|\mathbf{a}\|/\|\mathbf{z}\|$ in %.)

Fig. 5. Unobservable attacks on the 118-bus network: the sensor SNR is 46 dB. Attacks with the relative attack magnitudes 2,
4, and 6 % were tested. For each scenario, 200 Monte Carlo runs are used. (Plot: normalized state estimation error versus $\|\mathbf{a}\|/\|\mathbf{z}\|$ in %.)

Fig. 6. Data framing attacks on the 14-bus network: the sensor SNR is 46 dB. Attacks with the relative attack magnitudes 1,
2, 3, and 4 % were tested. For each scenario, 1,000 Monte Carlo runs are used. (Plot: normalized state estimate error versus $\|\mathbf{a}\|/\|\mathbf{z}\|$ in %; false alarm rate = 0.04.)

Fig.  6  shows  the  plots  of  the  normalized  state  estimation  error  versus  the  relative  attack 
magnitude.  The  results  show  that  even  when  an  unobservable  attack  is  not  feasible,  an  adversary 
may  exploit  the  idea  of  data  framing  to  perturb  the  state  estimate  by  an  arbitrary  degree. 
Furthermore,  the  results  indicate  that  partial  sensor  observations  are  sufficient  for  designing 
a  data  framing  attack. 

2)  IEEE  118-bus  test:  We  considered  an  adversary  attacking  the  part  of  the  118-bus  network 
illustrated  in  Fig.  2.  The  adversary  was  assumed  to  control  (114, 115),  (115, 114),  and  (27, 115), 
and  frame  (114),  (115),  (27),  and  (115,27)  as  sources  of  bad  data.  An  adversary  with  partial 
sensor  observations  was  assumed  to  observe  data  from  the  circled  sensors  in  Fig.  2  except 
(114),  (115),  (27),  and  (115,27).  The  graph  conditions  of  Corollary  3.2.2  are  satisfied,  and  thus 
an  adversary  with  partial  observations  is  capable  of  launching  a  data  framing  attack  under  the 
linearized  model  assumption. 

Fig.  7  shows  the  plots  of  the  normalized  state  estimation  error  versus  the  relative  attack 
magnitude.  The  results  demonstrate  the  sufficiency  of  partial  sensor  observations  for  designing 
a  data  framing  attack  in  a  large  network. 
Fig. 7. Data framing attacks on the 118-bus network: the sensor SNR is 46 dB. Attacks with the relative attack magnitudes
0.8, 1.6, and 2.4 % were tested. For each scenario, 200 Monte Carlo runs are used. (Plot: normalized state estimation error versus $\|\mathbf{a}\|/\|\mathbf{z}\|$ in %.)


VI.  Conclusions 

This  paper  presents  subspace  methods  of  data  attacks  on  state  estimators  of  cyber  physical 
systems.  By  exploiting  the  fact  that  subspace  information  of  measurements  is  sufficient  for 
designing  attacks,  we  devised  data-driven  attacks  that  can  be  launched  based  on  partial  sensor 
observations.  The  numerical  results  demonstrated  that  the  data-driven  attacks  are  as  efficient  as 
the  attacks  based  on  full  system  information. 

Our results demonstrate that one should not underestimate the ability of an adversary even
when system information is secure from the adversary. Even a leak of a small fraction of certain
sensor measurements may provide enough data upon which state attacks can be constructed.

Most countermeasures in the literature focused on protecting certain sensor data from adversarial
modification via data authentication, while assuming that system parameters are known to
adversaries (e.g., [7], [9], [12], [20]). When system parameter information is kept secure,
our results demonstrate that not only the ability to modify data but also the ability to observe
data is critical to an adversary. Therefore, as a countermeasure, on top of a data authentication
strategy, one can strategically enhance data encryption and access control protocols to limit the
set of data an adversary may eavesdrop on.


Appendix  A 
Proof  of  Theorem  2.1 

Let $\bar{\mathbf{H}}$ denote the measurement matrix after the sensors in $S_A$ are removed; i.e., $\bar{\mathbf{H}}$ is obtained
from $\mathbf{H}$ by removing the rows corresponding to the adversary sensors. Then, $\mathbf{H}\mathbf{y}$ is in $\mathcal{A}$ if and
only if $\mathbf{y}$ is in $\mathcal{N}(\bar{\mathbf{H}})$, the null space of $\bar{\mathbf{H}}$. This implies that an unobservable attack is feasible
if and only if $\bar{\mathbf{H}}$ does not have full column rank (i.e., $\mathcal{N}(\bar{\mathbf{H}})$ has a nonzero dimension.) ■

Appendix  B 
Proof  of  Theorem  3.1 

The columns of $\mathbf{U}$ span $\mathcal{R}(\mathbf{H})$. In addition, because $\mathbf{U}$ and $\mathbf{H}$ have the same number of
columns, $\bar{\mathbf{U}}$ does not have full column rank if and only if $\bar{\mathbf{H}}$ does not have full column rank.
Ther

efore, Theorem 2.1 implies that an unobservable attack is feasible if and only if $\bar{\mathbf{U}}$ does
not have full column rank.

Suppose that an unobservable attack is feasible. Then, $\bar{\mathbf{U}}$ is rank deficient, and we can find
a nonzero vector $\mathbf{v} \in \mathcal{N}(\bar{\mathbf{U}})$. With $\mathbf{a} = \mathbf{U}\mathbf{v}$, $\mathbf{a}$ is in $\mathcal{A}$ because $\mathbf{U}\mathbf{v}$ has zero entries for the
sensors not in $S_A$ (i.e., $\bar{\mathbf{U}}\mathbf{v} = \mathbf{0}$). In addition, there exists an invertible matrix $\mathbf{B} \in \mathbb{R}^{n \times n}$ such
that $\mathbf{H} = \mathbf{U}\mathbf{B}$, and $\mathbf{U} = \mathbf{H}\mathbf{B}^{-1}$, because $\mathbf{H}$ has full column rank. Therefore, $\mathbf{U}\mathbf{v} = \mathbf{H}(\mathbf{B}^{-1}\mathbf{v})$,
and thus $\mathbf{a}$ is an unobservable attack vector. ■

Appendix  C 
Proof  of  Theorem  3.2 

Let $\bar{\mathbf{H}}$ denote the submatrix of $\mathbf{H}$ obtained by removing the rows corresponding to the sensors
in $C$. Then, $\mathcal{N}(\bar{\mathbf{H}})$ is nontrivial due to the third assumption. Let $\mathbf{y}$ denote a nonzero vector in
$\mathcal{N}(\bar{\mathbf{H}})$ and $\mathbf{y}_O$ denote a subvector of $\mathbf{y}$ obtained by retaining only the rows corresponding to the
state variables in $X_O$. In addition, let $\mathbf{H}_S$ denote a submatrix of $\mathbf{H}_O$ obtained by retaining only
the columns corresponding to the state variables in $X_O$ (note that all the other columns of $\mathbf{H}_O$ are
zero vectors.) And, $\bar{\mathbf{H}}_S$ denotes a submatrix of $\mathbf{H}_S$ obtained by removing the rows corresponding
to the sensors in $C$.

First, note that $\mathbf{a}_O \in \mathcal{A}_O$ if and only if $\mathbf{a}_O = \mathbf{H}_S\mathbf{p}$ for some $\mathbf{p} \in \mathcal{N}(\bar{\mathbf{H}}_S)$. In addition, because $C$
is a critical set with respect to $(S_O, X_O)$, $\mathcal{N}(\bar{\mathbf{H}}_S)$ has dimension one. Note that $\bar{\mathbf{H}}_S\mathbf{y}_O = \mathbf{0}$ whereas
$\mathbf{H}_S\mathbf{y}_O \neq \mathbf{0}$. This implies that $\mathbf{y}_O \neq \mathbf{0}$, and $\{\mathbf{y}_O\}$ is a basis of $\mathcal{N}(\bar{\mathbf{H}}_S)$. Therefore, $\{\mathbf{H}_S\mathbf{y}_O\}$ is a basis
of $\mathcal{A}_O$.

Therefore, for any nonzero $\mathbf{a}_O \in \mathcal{A}_O$, there exists a nonzero $\alpha \in \mathbb{R}$ such that $\mathbf{a}_O = \alpha \cdot \mathbf{H}_S\mathbf{y}_O$.
Furthermore, $\mathbf{H}_S\mathbf{y}_O = \mathbf{H}_O\mathbf{y}$ implies that

$\mathbf{a}_O = \alpha \cdot \mathbf{H}_O\mathbf{y}.$  (23)

In addition, $\bar{\mathbf{H}}\mathbf{y} = \mathbf{0}$ implies that the attack that modifies the data from $C$ by adding the
corresponding entries of $\mathbf{a}_O$ to the actual data is equivalent to using $\alpha \cdot \mathbf{H}\mathbf{y}$ as an attack vector,
which is unobservable. So, the attack is unobservable. ■


Appendix  D 
Proof  of  Theorem  4.1 

The normalized residues in the first iteration are affected by the attack $\mathbf{a}$ as follows:

$\tilde{\mathbf{r}} = \boldsymbol{\Omega}\mathbf{W}(\mathbf{z} + \mathbf{a}) = \boldsymbol{\Omega}\mathbf{W}\mathbf{e} + \boldsymbol{\Omega}\mathbf{W}\mathbf{a},$  (24)

which can be derived from (7) and (11). Note that $(\boldsymbol{\Omega}\mathbf{W}\mathbf{e})_i$ follows a standard normal distribution
(due to the normalization) if $\{i\}$ is not a critical set; $(\boldsymbol{\Omega}\mathbf{W}\mathbf{e})_i$ is zero otherwise. Therefore, $\tilde{r}_i$
follows the normal distribution $\mathcal{N}((\boldsymbol{\Omega}\mathbf{W}\mathbf{a})_i, 1)$ if $\{i\}$ is not a critical set; otherwise, $\tilde{r}_i$ is equal
to $(\boldsymbol{\Omega}\mathbf{W}\mathbf{a})_i$.

Therefore, the expected energy of the normalized residues at $S_F$ in the presence of the attack
$\mathbf{a}$ is

$E\Big[\sum_{i \in S_F} \tilde{r}_i^2\Big] = \sum_{i \in S_F} (\boldsymbol{\Omega}\mathbf{W}\mathbf{a})_i^2 + C = \|\mathbf{I}_{S_F}\boldsymbol{\Omega}\mathbf{W}\mathbf{a}\|_2^2 + C,$  (25)

where $C$ is the number of sensors in $S_F$ that do not form a single element critical set.

Consequently, a solution to (17) is also a solution to the following problem, and vice versa:

$\max_{\mathbf{a}} \; \|\mathbf{I}_{S_F}\boldsymbol{\Omega}\mathbf{W}\mathbf{a}\|_2^2$  (26)

subj. $\|\mathbf{a}\|_2^2 = 1,\; \mathbf{a} \in \mathcal{R}(\mathbf{H}_1) \cap \mathcal{A}.$

The theorem statement follows from the following observations: the matrix $\mathbf{W}$ computed from $\mathbf{H}$ in (26)
is equal to the matrix $\mathbf{W}$ computed from $\mathbf{U}$ in (18), as both are orthogonal projections onto the same
space, and $\mathcal{R}(\mathbf{H}_1)$ is equivalent to $\mathcal{R}(\mathbf{U}_1)$. ■
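The residue analysis in (24)-(25), and the remark after Theorem 4.1 that an attack vector shifts the mean of the normalized residues to $\mathbf{I}_{S_F}\boldsymbol{\Omega}\mathbf{W}\mathbf{a}/\sigma$, can be checked numerically. The Python/NumPy script below is an added example, not the paper's code: it builds $\mathbf{W}$ and $\boldsymbol{\Omega}$ as defined in Theorem 4.1 for a constructed $6 \times 3$ matrix H_EX in which sensor 6 forms a single-element critical set, computes the normalized residues $\boldsymbol{\Omega}\mathbf{W}\mathbf{z}/\sigma$, and compares the Monte Carlo mean of $\sum_{i \in S_F}\tilde{r}_i^2$ against the right-hand side of (25) for a constructed attack vector A_EX and framed set S_F. All names and values in it are mine.

```python
"""Normalized residues under an additive attack vector: eqs. (24)-(25) of
Appendix D and the remark after Theorem 4.1.

Added example, not the paper's code.  H_EX (6 sensors, 3 states), the
noise level SIGMA, the attack vector A_EX and the framed set S_F are all
constructed here.  H_EX is built so that sensor 6 (index 5) is the only
one that measures state 3, i.e. {6} is a single-element critical set.
"""
import numpy as np

_rng = np.random.default_rng(1)
H_EX = np.zeros((6, 3))
H_EX[:5, :2] = _rng.standard_normal((5, 2))   # sensors 1-5 see states 1-2 only
H_EX[5, 2] = 1.0                              # sensor 6 alone sees state 3
SIGMA = 0.1                                   # noise standard deviation
A_EX = np.zeros(6)
A_EX[1] = 0.5                                 # constructed attack on sensor 2 only
S_F = (0, 5)                                  # framed set: sensors 1 and 6


def residual_projector(H):
    """W = I - H (H^T H)^{-1} H^T; the WLS residue is r = W z and W H = 0."""
    return np.eye(H.shape[0]) - H @ np.linalg.solve(H.T @ H, H.T)


def normalizer(W, eps=1e-10):
    """Omega: diagonal with 1/sqrt(W_ii) where W_ii > 0 and 0 where W_ii = 0."""
    d = np.diag(W)
    return np.diag(np.where(d > eps, 1.0 / np.sqrt(np.maximum(d, eps)), 0.0))


def critical_single_sensors(H, eps=1e-10):
    """Sensors i with W_ii = 0: their residue is identically zero, so the
    residue test can never flag them (and removing one makes H rank deficient)."""
    return [i for i, w in enumerate(np.diag(residual_projector(H))) if w <= eps]


def normalized_residues(H, z, sigma):
    """r~ = Omega W z / sigma; each non-critical entry is N(0, 1) without attack."""
    W = residual_projector(H)
    return normalizer(W) @ W @ z / sigma


def mean_shift(H, a, sigma):
    """Mean of r~ caused by attack a: Omega W a / sigma (zero for critical sensors)."""
    return normalized_residues(H, a, sigma)


def expected_energy(H, a, sigma, framed):
    """Right-hand side of eq. (25): ||I_SF Omega W a / sigma||^2 + C, where C is
    the number of framed sensors that are not single-element critical sets."""
    shift = mean_shift(H, a, sigma)
    crit = set(critical_single_sensors(H))
    C = sum(1 for i in framed if i not in crit)
    return float(np.sum(shift[list(framed)] ** 2)) + C


def monte_carlo_energy(H, a, sigma, framed, runs=40000, seed=2):
    """Sample mean of sum_{i in S_F} r~_i^2 over runs of z = H x + e + a."""
    g = np.random.default_rng(seed)
    m, n = H.shape
    W = residual_projector(H)
    Om = normalizer(W)
    X = g.standard_normal((n, runs))
    E = sigma * g.standard_normal((m, runs))
    Z = H @ X + E + a[:, None]             # attacked measurements, one column per run
    R = Om @ W @ Z / sigma                 # normalized residues, one column per run
    return float(np.mean(np.sum(R[list(framed), :] ** 2, axis=0)))


def largest_normalized_residue(H, z, sigma):
    """Bad data identification rule: the sensor with the largest |r~_i| is the
    candidate for removal in the first iteration of bad data processing."""
    r = normalized_residues(H, z, sigma)
    i = int(np.argmax(np.abs(r)))
    return i, float(r[i])


if __name__ == "__main__":
    print("critical single sensors:", critical_single_sensors(H_EX))
    print("mean shift Omega W a / sigma:", np.round(mean_shift(H_EX, A_EX, SIGMA), 3))
    print("eq. (25):", expected_energy(H_EX, A_EX, SIGMA, S_F),
          "Monte Carlo:", monte_carlo_energy(H_EX, A_EX, SIGMA, S_F))
```

Two statements of the proof become visible: the residue of the critical sensor is identically zero, so the largest-normalized-residue rule can never flag it, and the constant $C$ in (25) counts only the framed sensors that are not critical. From the detection side, listing the sensors with $W_{ii} = 0$ is a quick audit of which measurements a residue-based bad data detector cannot protect at all.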
Appendix E
Proof of Theorem 4.2

Let $\bar{\mathbf{H}}$ denote the submatrix of $\mathbf{H}$ obtained by removing the rows corresponding to the sensors
in $C$. First, from the proof procedure of Theorem 3.2, one can derive that the dimension of $\mathcal{N}(\bar{\mathbf{H}})$
is one. This implies that $C$ contains exactly one critical set, because if $C$ included more than
one critical set, $\mathcal{N}(\bar{\mathbf{H}})$ would have a dimension larger than one.

Because $S_A \cup S_F = C$ contains exactly one critical set, the dimension of $\mathcal{R}(\mathbf{H}_1) \cap \mathcal{A}$ in (17) is
one. This can be seen as follows. The dimension of $\mathcal{R}(\mathbf{H}_1) \cap \mathcal{A}$ in (17) is equal to the dimension
of $\mathcal{N}(\mathbf{H}_2)$, where $\mathbf{H}_2$ is the matrix obtained from $\mathbf{H}$ by removing the rows corresponding to the
sensors in $S_A \cup S_F$. And, the fact that $S_A \cup S_F$ contains exactly one critical set implies that the
rank of $\mathbf{H}_2$ is $n - 1$, and thus the dimension of $\mathcal{N}(\mathbf{H}_2)$ is $1$.

Therefore, (17) has only two feasible points, and they give the same objective function value.
In particular, a solution to (17) is the direction given by $\mathbf{H}_1\Delta\mathbf{x}$, where $\Delta\mathbf{x}$ is a nonzero vector
in $\mathcal{N}(\mathbf{H}_2)$ (see [23] for more detailed arguments.)

The first and second conditions of Theorem 3.2, which are assumed to hold, imply that the
dimension of $\mathcal{N}(\bar{\mathbf{U}}_A)$ is one. In addition, it can be seen from Corollary 3.2.1 that the second
statement is true for $\mathbf{a}^* = \mathbf{H}_1\Delta\mathbf{x}$ and some nonzero $\alpha$. ■

Appendix F
Power grid measurement model and observability

In this section, we briefly describe the power system measurement model and the spanning-tree
observability criterion in [19]. The spanning-tree observability criterion results in Corollary 3.2.2
from Theorem 3.2. For more details about power system models, see [26].

The power system state is defined as the vector of voltage magnitudes and phase angles at all
buses except a reference bus, which is an arbitrary bus whose voltage phase angle is set to zero:

$\mathbf{x} = [V_1\; V_2\; \cdots\; V_n\; \theta_2\; \cdots\; \theta_n]^T,$  (27)

where $V_i$ and $\theta_i$ denote the voltage magnitude and phase angle at bus $i$ respectively, and bus 1
is set as the reference bus.
We consider two types of legacy sensors: line flow sensors and bus injection sensors⁶. The
line flow from bus $i$ to bus $j$ is a complex quantity related to the system state by

(28)

where $P_{ij} \in \mathbb{R}$ and $Q_{ij} \in \mathbb{R}$ are the real and imaginary parts of the line flow respectively, is the
impedance of the line $\{i, j\}$, and $X^*$ denotes the complex conjugate of $X$. The bus injection at
bus $i$ is the sum of all outgoing line flows from bus $i$.

For  computational  benefits,  the  above  nonlinear  relation  is  often  linearized  at  the  nominal 
operating  point  where  all  bus  voltage  magnitudes  are  equal  to  1  p.u.,  and  all  bus  voltage  phase 
angles  are  equal  to  zero.  This  linearization  decouples  the  relation  such  that  the  real  part  of 
measurements  depends  only  on  the  voltage  phase  angles,  and  the  imaginary  part  depends  only 
on  the  voltage  magnitudes. 

The linearized relation between the real part of measurements and the voltage phase angles,
the so-called DC model, is often used to analyze power system observability. In the DC model
(4), the state $\mathbf{x}$ is defined as the vector of voltage phase angles at all buses except the reference
bus:

$\mathbf{x} = [\theta_2\; \theta_3\; \cdots\; \theta_n]^T.$  (29)

The measurement matrix $\mathbf{H}$ depends on the topology and line impedance⁷.

The power system is observable if and only if $\mathbf{H}$ has full column rank [19]. Verifying this rank
condition seems to require knowledge of the line impedance. However, Krumpholz et al. [19]
showed that system observability can be determined purely based on the topology and sensor
locations. In particular, Krumpholz et al. [19] showed that a system is observable if and only if
there exists a way to assign each injection sensor to any of the lines that are incident to the bus
where the sensor is located such that there exists a spanning tree of the topology having at least
one sensor (an assigned injection or line flow sensor) on each edge of the tree (see Corollary 2
in [19].)

⁶Other types of sensors (e.g., phasor measurement units) can also be considered. We impose this restriction merely to facilitate
clearer presentation.

⁷To describe the entries of $\mathbf{H}$, we consider a noiseless measurement vector $\mathbf{z} = \mathbf{H}\mathbf{x}$ for simplicity. Suppose that the $k$th
entry of $\mathbf{z}$ is a measurement from a line flow sensor measuring the line flow from bus $i$ to $j$. Then, if the line is connected,
$z_k = B_{ij}(\theta_i - \theta_j)$, where $B_{ij}$ is the susceptance of the line; if the line is not connected, $z_k = 0$. In case that $z_k$ corresponds
to an injection sensor at bus $i$, $z_k$ is the sum of all the outgoing line flows from bus $i$.

The spanning tree criterion can also be used to check whether the state variables in $X_O$ are
observable with respect to $S_O$ (we use the notations in Section III-B.) Without loss of generality,
we assume that $S_O$ contains an injection sensor on the reference bus or a line flow sensor on a
line incident to the reference bus⁸. Then, we can simply apply the spanning tree criterion to the
reduced network for $S_O$ (see Section III-B for the definition of a reduced network.) The state
variables in $X_O$ are observable with respect to $S_O$ if and only if it is possible to assign injection
sensors in $S_O$ to their neighboring lines such that a spanning tree of the reduced network with
at least one sensor in $S_O$ on every edge exists.
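Footnote 7 gives the entries of the DC measurement matrix and [19] reduces observability to a rank test; Theorem 2.1 (Appendix A) turns the same rank test, applied to $\bar{\mathbf{H}}$, into a feasibility check for unobservable attacks. The Python/NumPy script below is an added example, not the paper's code: on a constructed 5-bus network with constructed susceptances and sensor placement it builds $\mathbf{H}$ from the rule in footnote 7, checks full column rank, lists which single sensors are critical, and reports whether the rank condition of Theorem 2.1 holds for a given compromised set. The network, the sensor tuples and the function names are my own.

```python
"""DC measurement matrix from topology and sensor placement (Appendix F,
footnote 7), the rank test for observability, and the feasibility test
of Theorem 2.1 (Appendix A).

Added example, not the paper's code.  The 5-bus network, its line
susceptances and the sensor placement are constructed for illustration;
bus 1 is the reference bus, so the state is x = [theta_2 ... theta_5]^T
as in eq. (29).
"""
import numpy as np

N_BUS = 5
REF_BUS = 1
# Constructed topology: (i, j, B_ij) with B_ij the susceptance of line {i, j}.
LINES = [(1, 2, 5.0), (1, 3, 4.0), (2, 3, 3.0), (2, 4, 2.0), (3, 5, 2.5), (4, 5, 1.5)]
# Constructed placement: ("flow", i, j) measures the flow from i to j,
# ("inj", i) measures the net injection at bus i.
SENSORS = [("flow", 1, 2), ("flow", 2, 1), ("flow", 1, 3), ("flow", 2, 3),
           ("flow", 2, 4), ("flow", 3, 5), ("inj", 2)]

# Susceptance lookup in both directions.
_B = {}
for _i, _j, _b in LINES:
    _B[(_i, _j)] = _b
    _B[(_j, _i)] = _b


def flow_row(i, j):
    """Row of H for a flow sensor i -> j: z = B_ij (theta_i - theta_j).

    Columns are theta_2 .. theta_N_BUS; the reference angle theta_1 = 0 has
    no column.  A sensor on a line that does not exist reads 0.
    """
    row = np.zeros(N_BUS - 1)
    if (i, j) not in _B:
        return row
    if i != REF_BUS:
        row[i - 2] += _B[(i, j)]
    if j != REF_BUS:
        row[j - 2] -= _B[(i, j)]
    return row


def injection_row(i):
    """Row for an injection sensor at bus i: the sum of all outgoing line flows."""
    row = np.zeros(N_BUS - 1)
    for (a, c) in _B:
        if a == i:
            row += flow_row(a, c)
    return row


def build_H(sensors):
    """Stack one row per sensor, in the order given."""
    rows = [flow_row(s[1], s[2]) if s[0] == "flow" else injection_row(s[1]) for s in sensors]
    return np.array(rows).reshape(len(rows), N_BUS - 1)


def is_observable(H):
    """The system is observable iff H has full column rank [19]."""
    return H.shape[0] > 0 and np.linalg.matrix_rank(H) == H.shape[1]


def unobservable_attack_feasible(sensors, compromised):
    """Theorem 2.1: an unobservable attack confined to `compromised` exists iff H
    with those rows removed (H-bar) does not have full column rank."""
    remaining = [s for s in sensors if s not in compromised]
    return not is_observable(build_H(remaining))


def critical_single_sensors(sensors):
    """Sensors whose removal alone breaks observability (single-element critical sets)."""
    return [s for s in sensors if unobservable_attack_feasible(sensors, [s])]


if __name__ == "__main__":
    H = build_H(SENSORS)
    print("H =\n", H)
    print("observable:", is_observable(H))
    print("critical single sensors:", critical_single_sensors(SENSORS))
    print("rank condition of Theorem 2.1 for {(2,4)}:",
          unobservable_attack_feasible(SENSORS, [("flow", 2, 4)]))
    print("rank condition of Theorem 2.1 for {(2,4), (2)}:",
          unobservable_attack_feasible(SENSORS, [("flow", 2, 4), ("inj", 2)]))
```

On this network the only single-element critical set is the flow sensor (3,5), since nothing else measures $\theta_5$; the flow sensor (2,4) on its own is not critical because the injection sensor at bus 2 also sees $\theta_4$, while (2,4) together with (2) is. An operator can run the same check on a real sensor placement to see which measurements the observability margin hinges on, the placement-side complement of the data authentication countermeasures discussed in Section VI.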